Problems to open an AS400 client access session from a VPN client

sguerrero
Level 1

Hello everybody:

I am using dial-up VPN client version 3.5 and PIX firewall version 6.1(2). I open the tunnel and I can ping the AS-400, but I cannot open Client Access. The session screen does not appear even though the status on the AS400 shows that my VPN IP is connected and with the session open, but no screen is displayed.

My VPNs get an IP address from a pool, and I added an access-list to give permission to access any TCP and UDP port:

access-list acl_in permit tcp host 10.1.1.1 any

access-list acl_in permit udp host 10.1.1.1 any

What do I need to configure in the PIX or VPN client to open client access?

Thanks for any help.

2 Replies

gfullage
Cisco Employee

If you can ping the AS400 then it shouldn't be a problem with access-lists. Make sure in the PIX you have the "sysopt connection permit-ipsec" command, then the IPSec traffic will bypass the ACLs anyway.

It could be an MTU related problem, although most of these were sorted out in the later VPN client. Can you ping the AS400 with large packet sizes (1400 and above)?

On your PC, try setting the MTU to a smaller value and see if that helps. In the VPN client directory, there's a program called setmtu.exe; run this and try setting it to 1400. Reboot and see if that fixes it. If not, try a little lower.
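An added example, not part of the original reply: the large-packet ping test suggested above, automated as a binary search over Don't-Fragment pings. The function names are hypothetical and it assumes the Windows or Linux iputils `ping`; each size is retried because intermittent loss would otherwise look like an MTU limit.

```python
import platform
import subprocess
import sys

ICMP_IP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header


def df_ping(host, payload, attempts=3, timeout_s=2):
    """True if any of `attempts` echo requests with DF set gets a reply."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload),
               "-w", str(timeout_s * 1000), host]
    else:  # assumption: Linux iputils ping
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload),
               "-W", str(timeout_s), host]
    for _ in range(attempts):
        try:
            res = subprocess.run(cmd, capture_output=True, text=True,
                                 errors="replace", timeout=timeout_s + 3)
        except subprocess.TimeoutExpired:
            continue
        # A real echo reply line carries "TTL=" / "ttl=" on both platforms.
        if res.returncode == 0 and "ttl=" in res.stdout.lower():
            return True
    return False


def largest_df_payload(probe, low=64, high=1472):
    """Largest payload in [low, high] for which probe(size) is True.

    Returns None when even `low` fails, which points at loss or routing
    rather than at MTU."""
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid          # mid fits, search above it
        else:
            high = mid - 1     # mid is too big, search below it
    return low


def path_mtu(probe):
    """Path MTU in bytes (payload + IP/ICMP headers), or None."""
    payload = largest_df_payload(probe)
    return None if payload is None else payload + ICMP_IP_OVERHEAD


if __name__ == "__main__" and len(sys.argv) == 2:
    print("usable path MTU:", path_mtu(lambda n: df_ping(sys.argv[1], n)))
```

Run it with the AS400's address as the only argument while the tunnel is up; a result below 1500 gives the value to try in setmtu.exe.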

It's a good point what you say about the pings. From the VPN client, I ping the AS400 but most of the time I receive a timeout; only sometimes do I receive a reply. The same happens if I ping from the AS400: the response time shows 3000 ms or it simply does not echo reply.

If I ping from any PC in a VLAN segment different from the AS400's, I have the same status: timeouts, and sometimes I receive an echo reply. The same happens from the layer 3 switch. Actually, I already added the IP route to reach my VPN segment in the layer 3 switch through the PIX inside interface.

What could be happening?